Comment on "Complete insecurity of quantum protocols for classical two-party 

computation" 
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In a recent paper (Phys. Rev. Lett. 109, 160501 (2012). arXiv:1201.0849), it is claimed that 
any quantum protocol for classical two-sided computation between Alice and Bob can be proven 
completely insecure for Alice if it is secure against Bob. Here we show that the proof is not sufficiently 
general, because the security definition it based on is only a sufficient condition but not a necessary 
condition. 



PACS numbers: 03.67.Dd, 03.67.Hk 
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Let us first look at the security definition in [!']. As 
stated in the paragraph below its FIG. 1, let e > and 
write p ~£ cr (i.e., p is £-close to cr) if the purified dis- 
tance y'l — (tr y/ yj'Jia^^)'^ between the density matrices 

p and a is not greater than e. Then a two-party quantum 
protocol corresponding to a completely positive trace- 
preserving (CPTP) map TT is defined as e-secure against 
dishonest Bob if for any real adversary B' there exists 
an ideal adversary B' such that [idpi. ® tta,B']{puvr) —e 
[idu (E) J'^ b,]{puvr)- Here A denotes the real honest 

Alice, B' the dishonest Bob, and A, B' the ideal ver- 
sions. Both parties obtain an input (Alice's u in register 
U and Bob's v in register V) drawn from the distribution 
p{u,v). [idji (g) nA,B']{puvR) is the output state of the 
protocol augmented by the reference i?, where puvR is a 
purification of vPi"^' I") ("Ic/ 1^) (^ly ^^"^ i^ 
ideal functionality which measures the inputs and out- 
puts orthogonal states that correspond to the function 
values of the classical two-sided computation. Please see 
[l[ for more detailed explanations of the notations. 

In simple words, as can be seen from Sec. 1.6 of [2] 
(i.e., Ref. [12] of [l|), the meaning of this definition can 
be understood as follows. Let a and (3 be the physical 
systems accessible to Alice and Bob, respectively. Denote 
the density matrices of a, P as pa, Pi3 when Bob plays 
honestly, or as p'^ , p'p when he applies a certain cheating 
strategy. If there is p'^ —e Pa, the cheating strategy will 
be nearly undetectable to Alice so that Bob can pass the 
security checks in the protocol successfully, while if there 
is p'p ~e pp, a dishonest Bob can hardly gain any extra 
information other than what is accessible to an honest 
Bob. Then the above security definition means that a 
protocol is secure against Bob if for any cheating strategy, 
there is always ~e p^. For simplicity, we call such a 
cheating strategy as a type I strategy. 

Obviously, if any cheating strategy currently known or 
potentially exists in the world belongs to type I, then 
the corresponding protocol is surely secure. Thus it is 
a sufficient condition for guaranteeing the security of a 
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protocol. But it is important to question whether the 
reversed statement is also true. That is, if a protocol 
is secure, does it necessarily guarantee that all cheating 
strategies have to be type I strategies? In fact, if there 
is a cheating strategy which does not satisfy p'^ ~e pa, 
then it will be detectable to Alice, so that the proto- 
col can remain secure against Bob no matter pp 
is satisfied or not. We call strategies satisfying neither 
p'^ ~e Pa nor p'p ~e pp as type II strategies. Actually, 
they are no strangers to quantum cryptography. In many 
existing protocols, there are security checks in which the 
parties agree to continue with the protocols only when 
some conditions are met. Otherwise they can choose to 
abort in the middle of the process, and the protocols out- 
put "fail" instead of the output obtained by honest play- 
ers. This implies that the protocols are designed against 
type II strategies. Thus it is clear that the existence of 
type II strategies does not necessarily hurt the security 
of protocols. If a protocol is secure, then both types 
I and II strategies are possible. That is, "all cheating 
strategies belong to type I" is not the necessary condi- 
tion for a protocol to be secure. Therefore, while the 
security definition in [T'] is a true statement, it cannot be 
used as "a two-party quantum protocol is e-secure against 
Bob if and only if for any real adversary B' there exists 
an ideal adversary B' such that [idn (g> '!TA,B']ipuvR.) —s 
[idfi ® J"^ g']{puvRy' , since the reversed statement "for 

any real adversary B' , there exists an ideal adversary B' 
such that [idR(g)TrA,B']ipuvR) -e [idR®T^^^,]{puvR) if 
the protocol is e-secure against Bob" is not true. There 
can be type II strategies which are not e-close to any 
ideal adversary. 

Now back to the no-go proof for two-sided computation 
in [l|. In brief, the key starting points of the proof are 
as follows. Suppose that there is a quantum protocol for 
classical two-sided computation which is already assumed 
to be secure against a dishonest Bob. To prove that it 
must be insecure against Alice, in the paragraph before 
Eq. (1) of Q, the following cheating strategy of Bob is 
considered. He plays the honest but purified strategy and 
outputs the purification of the protocol (register Y() and 
the output values /(w, v) (register Y). We call it strategy 
B'q hereafter. Since the protocol is e-secure against Bob, 
in the opinion of [ll| there exists a secure state crj^-^yyi 
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satisfying aRxv Prxy', where Y' = Y{Y . Applying 
Uhlmann's theorem on unxv —e Prxy', Eq. (1) of 
can be obtained, which further leads to the rest part of 
the no-go proof. 

However, according to our above discussion on the se- 
curity definition, "the protocol is e-secure against Bob" 
does not necessarily guarantees that "all cheating strate- 
gies (including strategy Bq) must be type I strategies", 
because the latter statement is not the necessary condi- 
tion of the former. If B'^ belongs to type II, then the 
protocol can still be secure against Bob, while the equa- 
tion cfRXY' —e Prxv no longer holds. Consequently, Eq. 
(1) does not necessarily remain valid so that the no-go 
proof will lose its base. Thus we can see that the proof in 
[l| may apply to a protocol for which _Bq can be proven 



to be a type I strategy (given that all other features of 
the protocols studied in [l| are also met). But it is not 
sufhcient general to cover all protocols, since there is no 
evidence (at least not provided in [1]) showing that B'^ 
always has to be a type I strategy for any protocol poten- 
tially exists. By designing proper security checks which 
can make Bq appear as a type II strategy, it is possible 
to build protocols not covered by the proof in [l| . There- 
fore, the door for finding secure quantum protocols for 
classical two-party computation is not closed completely. 
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